jackspirou / clientjs

Device information and digital fingerprinting written in pure JavaScript.

Home Page: http://clientjs.org

Possible DOM Based Cross-Site Scripting vulnerability

palg opened this issue · comments

Hi,

Analyzing the code, we have seen in /src/vendor/deployJava.js, at method launchWebStartApplication, that there is an assignment from document.documentURI to a JavaScript variable that is afterwards used to compose the document DOM.

launchWebStartApplication: function (r) {   // r: the JNLP location passed by the caller
    // Source: the current document URL is read from document.documentURI
    // (falling back to document.URL) without any encoding.
    var u = null;
    if (document.documentURI) {
        u = document.documentURI
    }
    if (u == null) {
        u = document.URL
    }
    var p = this.getBrowser();
    var q;
    if (p == "MSIE") {
        q = ''
    } else {
        if (p == "Netscape Family") {
            // u is concatenated straight into an attribute value of the markup
            q = '<embed type="application/x-java-applet;jpi-version=' + this.firefoxJavaVersion + '" width="0" height="0" launchjnlp="' + r + '"docbase="' + u + '" />'
        }
    }
    // Note: this compares document.body with the string "undefined", not with the type
    if (document.body == "undefined" || document.body == null) {
        document.write(q);    // sink: markup written into the document
        document.location = u
    } else {
        var t = document.createElement("div");
        t.id = "div1";
        t.style.position = "relative";
        t.style.left = "-10000px";
        t.style.margin = "0px auto";
        t.className = "dynamicDiv";
        t.innerHTML = q;      // sink: markup parsed as HTML
        document.body.appendChild(t)
    }
},

This allows a potential attacker to execute JavaScript code through the URL, as described in this OWASP page: DOM Based XSS

I think that this code requires the input to be escaped or similar, as described in the OWASP DOM Based XSS Prevention Cheat Sheet.
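To illustrate the fix the report asks for, here is an added example (not code from clientjs or from deployJava.js) that puts the unescaped string building from the 'Netscape Family' branch next to an attribute-encoded version and a DOM-API version; the helper names (escapeHtmlAttr, buildEmbedEscaped, buildEmbedElement) and the sample docbase URL are assumptions made up for the example.

```javascript
// Added example, not code from clientjs or deployJava.js. Helper names are
// hypothetical; SAMPLE_DOCBASE is a constructed value, not a real URL.

// Attribute-encode the characters that can terminate a double-quoted HTML
// attribute or open a new tag (OWASP DOM Based XSS Prevention Cheat Sheet).
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Same shape as the 'Netscape Family' branch in the report: the URL is
// concatenated straight into markup that later reaches innerHTML.
function buildEmbedUnsafe(jpiVersion, jnlp, docbase) {
  return '<embed type="application/x-java-applet;jpi-version=' + jpiVersion +
    '" width="0" height="0" launchjnlp="' + jnlp +
    '" docbase="' + docbase + '" />';
}

// Hardened string form: each URL-derived value is encoded before it enters
// the markup, so a quote in document.documentURI cannot close the attribute.
function buildEmbedEscaped(jpiVersion, jnlp, docbase) {
  return '<embed type="application/x-java-applet;jpi-version=' +
    escapeHtmlAttr(jpiVersion) + '" width="0" height="0" launchjnlp="' +
    escapeHtmlAttr(jnlp) + '" docbase="' + escapeHtmlAttr(docbase) + '" />';
}

// Preferred fix in a browser: build the element with DOM APIs. setAttribute
// stores the URL as data, so it is never parsed as HTML at all.
function buildEmbedElement(doc, jpiVersion, jnlp, docbase) {
  var el = doc.createElement('embed');
  el.setAttribute('type', 'application/x-java-applet;jpi-version=' + jpiVersion);
  el.setAttribute('width', '0');
  el.setAttribute('height', '0');
  el.setAttribute('launchjnlp', jnlp);
  el.setAttribute('docbase', docbase);
  return el;
}

// The template itself holds exactly 10 double quotes and one '<'; any extra
// count means a character from the URL leaked into the markup structure.
function countChar(text, ch) {
  return text.split(ch).length - 1;
}

// Constructed sample: a document URL containing a quote and angle brackets.
var SAMPLE_DOCBASE = 'http://example.test/app.html?name=O"Brien&x=<1>';
```

In a real page the element from buildEmbedElement would be appended with document.body.appendChild, replacing the innerHTML and document.write sinks shown in the report.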

Were you able to exploit it?

Not really, I didn't have enough time to play with the code :)